Due: Tuesday, May 20
(a) Explain what httpOnly cookies are.
(b) What attack are httpOnly cookies intended to prevent? Give an example attack that does not work if the site uses httpOnly cookies, but works with normal cookies.
(c) Show that httpOnly cookies do not eliminate the class of attacks from part (b). Give an example where httpOnly cookies do not improve security.
(a) State the same origin policy as it applies to the DOM, as clearly and precisely as you can, in one or two sentences. Do the same for the same origin policy as it applies to cookies.
(b) Why is it consistent with the same-origin policy for content from site A to include an image (such as <img src="http://anothersite.com/picture.jpg" >) from another site B?
(c) Suppose that web pages from several sites request images from TripleClick.com. Explain how each site can pass TripleClick some information about the content of the page that will contain the image. Write a variant of the HTML <img src="http://tripleclick.com/picture.jpg" > that passes information to TripleClick as part of the request for a picture.
(d) How can TripleClick use the requests you described in part (c) to build up a database of interests of each web user? Explain the browser mechanism that will let TripleClick tell if two requests for images come from the same user and machine, even if the user changes IP addresses.
String mname = request.getParameter("month");
String uid = session.getCurrentUserId();
PreparedStatement pstmt = conn.prepareStatement(
    "SELECT pizza, toppings, quantity, order_day FROM orders WHERE userid=" + uid + " AND order_month=" + mname);
pstmt.execute();
pstmt.close();
(a) Explain very briefly why this site is vulnerable to SQL injection by explaining what happens if the user posts a form with "0 OR 1=1" for the month.
(b) Suppose this is rewritten to use bind arguments, as in slide 32. What Java error will occur when the user posts a form with "0 OR 1=1" for the month? Explain briefly.
(c) What if months are represented in the database as strings, and the prepared statement query is constructed using
ps.setString(2, request.getParameter("month"));
Will this now be vulnerable to SQL injection? Explain why or why not.
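As an added illustration of the contrast this problem draws (not part of the original assignment; written in Python with sqlite3 rather than the page's Java, and using constructed sample rows), the same "0 OR 1=1" month is run through the concatenated query, through a bound integer parameter, and through a bound string parameter as in part (c):

```python
import sqlite3

# Constructed sample rows standing in for the orders table in the question.
# Assumption: userid and order_month are integers, as parts (a) and (b) imply.
SAMPLE_ORDERS = [
    (1, "margherita", "basil", 2, 5, 3),
    (1, "marinara", "garlic", 1, 4, 12),
    (2, "quattro formaggi", "gorgonzola", 1, 5, 9),
    (3, "diavola", "salami", 3, 5, 20),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (userid INT, pizza TEXT, toppings TEXT, "
                 "quantity INT, order_month INT, order_day INT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn

def orders_concatenated(conn, uid, month):
    # Mirrors the page's Java: the month text is spliced into the SQL, so the
    # database parses it as SQL. "0 OR 1=1" turns the WHERE clause into
    # (userid=1 AND order_month=0) OR 1=1, which matches every row.
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           "WHERE userid=" + str(uid) + " AND order_month=" + month)
    return conn.execute(sql).fetchall()

def orders_bound_int(conn, uid, month):
    # Bind-argument version with an integer column: converting first mirrors
    # what a setInt() would need, so a non-numeric month is rejected outright.
    month_val = int(month)  # ValueError for "0 OR 1=1"
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           "WHERE userid=? AND order_month=?")
    return conn.execute(sql, (uid, month_val)).fetchall()

def orders_bound_str(conn, uid, month):
    # Part (c): the month is bound as a string. The query shape is fixed before
    # the value arrives, so the text is compared as data and matches nothing.
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           "WHERE userid=? AND order_month=?")
    return conn.execute(sql, (uid, month)).fetchall()

def run_demo(uid=1, payload="0 OR 1=1"):
    conn = make_db()
    try:
        bound_int = orders_bound_int(conn, uid, payload)
    except ValueError:
        bound_int = "rejected"
    return {
        "honest_month": len(orders_concatenated(conn, uid, "5")),
        "concatenated": len(orders_concatenated(conn, uid, payload)),
        "bound_int": bound_int,
        "bound_str": len(orders_bound_str(conn, uid, payload)),
    }
```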
(a) The Authentication Department at RBB is debating whether its login page should ask for one password or two passwords each time a customer logs in. Should the page just ask for the new password from the one-time password (OTP) token, or is it better to also ask the customer to enter a long-term password like they did before? Explain why.
(b) If an RBB customer enters his password from the OTP device to a deceptive RBB phishing site that collects passwords and then sells them on the underground market, will this password be useful to the buyer? Explain.
(c) If an RBB customer enters his password from the OTP device to a deceptive RBB phishing site that is operating as a man-in-the-middle site to defraud bank customers, will this password be useful to the buyer? Explain.
(d) If an RBB customer loses his or her OTP device, what kind of questions should the RBB web site ask before allowing the customer to pay bills online? Explain.
Several years ago, Netscape announced a bug in the way the Navigator browser treated HTTPS connections: if there was one HTTPS connection to a server, then while this session was still open, all new connections via HTTPS to the same site were assumed to be part of the existing SSL session and thus did not require a certificate check. (This bug was fixed the same day it was announced.)
(a) Explain how an attacker could exploit this bug (possibly using DNS cache poisoning), to capture confidential information from someone who thought they had a secure HTTPS session.
(b) DNS-SEC is a set of security extensions to DNS that provide three forms of guarantees:
Can you modify your attack in part (a) to work if DNS-SEC is used? Or will DNS-SEC prevent the attack?
Frame busting, discussed at the end of lecture 8, refers to a technique that enables a web site to ensure that its pages are not opened in a sub-frame of another page.
(a) Explain what could go wrong if, say, a banking page is opened in a sub-frame of an attacker's page. You may assume the user is already logged into her account at the banking site. Hint: try to target your attack at users who do not look at the address bar, but instead make trust decisions based on whether personal information is displayed on the page.
(b) IE supports an iframe security attribute invoked as <iframe security="restricted" src="...">. Generally speaking, scripts cannot run in the resulting iframe. Can an attacker use this mechanism to circumvent frame busting code? Can you suggest a way to fix the problem?